We're currently building a web app that serves multiple subdomains (wildcard subdomain). In our app, users may be authenticated for one or many subdomains (just like Basecamp does).

We want to know what's the best strategy to save and load user credentials. The main problem is that our users may have different roles in different subdomains (they may be administrators, account owners, clients, etc.) and they use the same credentials to sign in to all subdomains. We're using ASP.NET MVC 2 & .NET 4.0.

The options we're considering are:

  • loading all user information and roles at sign-in and saving it in Session (Session is saved in a SQL Server DB)

  • saving only the UserId in session. At each request, based on the request subdomain, we reload the role and check the authorization for the requested operation.

  • saving the UserId in a cookie and performing the same load strategy as the previous option.

Thank you very much for your help!
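
The second option above (only the UserId in session, roles reloaded on each request for the requesting subdomain), sketched as an ASP.NET MVC authorization filter. This is an added example, not part of the original question; `IAccountRoleStore`, `SubdomainAuthorizeAttribute`, `RequiredRole` and the `example.com` base domain are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical store: returns the roles a user holds in ONE account (subdomain).
public interface IAccountRoleStore
{
    ICollection<string> GetRoles(int userId, string subdomain);
}

public class SubdomainAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: placeholder base domain of the application.
    private const string BaseDomain = "example.com";

    // Assumption: assigned once at application start.
    public static IAccountRoleStore RoleStore { get; set; }

    // Role required by the decorated action, e.g. "Administrator".
    public string RequiredRole { get; set; }

    // "acme.example.com" -> "acme". Returns null for any host that is not
    // exactly one label under the base domain, so the check fails closed.
    public static string GetSubdomain(string host)
    {
        if (string.IsNullOrEmpty(host)) return null;
        host = host.ToLowerInvariant();
        string suffix = "." + BaseDomain;
        if (!host.EndsWith(suffix, StringComparison.Ordinal)) return null;
        string label = host.Substring(0, host.Length - suffix.Length);
        if (label.Length == 0 || label.Contains(".")) return null;
        return label;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Only the user id lives in the server-side session.
        object userId = httpContext.Session == null ? null : httpContext.Session["UserId"];
        if (!(userId is int)) return false;

        string subdomain = GetSubdomain(httpContext.Request.Url.Host);
        if (subdomain == null) return false;

        // Roles are resolved for this subdomain on every request, so a role held
        // in one account never carries over to another and revocation is immediate.
        ICollection<string> roles = RoleStore.GetRoles((int)userId, subdomain);
        return roles != null && roles.Contains(RequiredRole);
    }
}
```

An action would be decorated as `[SubdomainAuthorize(RequiredRole = "Administrator")]`; the per-request lookup costs one query per request, which is the trade-off against caching all roles at sign-in.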
